Co Hijacking Monitor: Collaborative Detecting and Locating Mechanism for HTTP Spectral Hijacking Pan Wang Xuejiao Chen College of Internet of Things Department of Communication Nanjing University of Posts&Telecommunications Nanjing college of Information Technology Emails: [email protected] Emails: [email protected] Abstract—With the rapid growth of mobile internet, mobile in the web browser to display the contents of promotional ads application, like website navigation, searching, e-Shopping and or directly display a web site in order to make a large profit. app download, etc. are all popular in worldwide. Meanwhile, it Several typical methods of HTTP hijacking [6]: (1)Hijackers become more and more popular that traditional HTTP protocol, which is also applying in not only web browsing but also add or tamper the channel code of Ad network or website communication between mobile application clients and servers. promotion. They mainly aimed at website navigation, web Besides, it has made HTTP Hijacking profitable. Furthermore, search engine and some major e-commerce website. The it has brought a lot of troubles for users, network operators and hijackers use HTTP hijacking technology to modify or add ISP. We analyze the principle of HTTP spectral Hijacking and promotional channel code brutally in order to grab the profit present a mechanism of collaboratively detecting and locating called Co HijackingMonitor. Experimental result shows that, of target website promotion. Such hijacking applications have Co HijackingMonitor can solve the hijacking problem effectively. been extended to web navigation and searching, software and mobile application (APK/EXE) downloading, game distribu- Index Terms—hijacking; web security; MITM; http redirect; tion, and so on. (2)Hijackers add extra advertisements on DPI; normal sites, like pop-up windows. HTTP hijacking has caused varying degrees of harm to I. INTRODUCTION both users and service providers. For users, it is not only In recent years, website navigation, search, e-commerce, easy to leak the user’s sensitive information, but also hijack mobile application download are widely adopted and HTTP a large number of internet user’s behavior. Finally,it is very protocol is becoming more and more popular. HTTP protocol easy to cause the risk of online financial transactions. For is not only used in web browsing, but also a large number service providers, a large number of promotional costs were of communications between mobile application clients and grabed. At the same time, HTTP hijacking can also make servers use HTTP. user’s web browsering fail or redirect. Therefore, the detection This has brought huge underground market space using and prevention of HTTP hijacking are of great significance. HTTP hijacking technology. Besides, it also brought great The first section of this paper introduces the related work. trouble to users, network operators and internet service In the second section, the principle of HTTP hijacking on the providers. Hijacker can hide on the way of all routing nodes. network link is analyzed in detail. The third section describes The means of hijacking are endless and continue to retrofit, the design scheme of the Co Hijacking Monitor mechanism such as homepage modifying, process hooking, system boot in detail; including TTL detection based on dynamic updating hijacking, LSP injection, browser plug-in hijacking [1], HTTP method of target website routing hash table, HTTP response proxy filter [2], kernel data packet hijacking [3], bootkit [4], behavior, cooperative monitoring and traceability. In the fourth arXiv:1804.01237v1 [cs.CR] 4 Apr 2018 CDN cache pollution [5]. section, the experiment is carried out in a real network. We Because network operators own the network link, they have evaluate the ability of Co Hijacking to detect and locate the inherent advantages for HTTP hijacking. The usual way is HTTP spectral hijacking attack. spectral hijacking bypassing communication link. From the point of view of end-to-end, HTTP hijacking could occur in the II. RELATED WORK side of internet terminal, network link and cloud. This article In recent years, both the industry and academic pay much specifically aimed at the research of HTTP hijacking and attention to the problem of HTTP hijacking on the operator’s detecting technology on the network link( or called spectral network links.However, it is still very difficult for network hijacking). HTTP hijacking, in short, is an attack to monitor operators to detect HTTP spectral hijacking in time. The HTTP message in a dedicated data channel established by the existing detection schemes are either not practical enough or user and the web server. Once meeting the default conditions, lack of efficiency. Details are below. the hijacker will insert the well-designed network data packets In this paper, we think that we should start from the prin- into the normal data stream. The purpose is to allow the client ciple of hijacking if we plan to find a practical and effective program to interpret the error’ data and pop up a new window method of detecting HTTP spectral Hijacking. We should find out the rule of the HTTP spectral hijacking and then build the model of spectral hijacking originally. In addition, there are a large number of links in the communication network.That is to say, hijacker can attack from a lot of nodes of network, so it is necessary to use cooperative method of monitoring in order to cover all the possible attack points. From the point of view of the target website, the related work in the field of spectral hijacking can be classified into two categories: One is DNS hijacking, the other is HTTP hijacking. The DNS hijacking occurs frequently on the network link, because DNS server is more concentrated, attackers is easy to deploy Fig. 1. spectral hijacking topology on network link attacking devices. So this kind of attacks have frequently emerged since 2003, until 2015 when Baidu sued China GET requests, etc. When a normal HTTP session request Chongqing Telecom DNS hijacking, which made it reach is routed through the device, the acquisition device uses the peak [7]. The detection and location of DNS hijacking the HTTP hijacking technique to hijack the HTTP session, can be divided into three types: Passive monitoring detection, and implement the next attack, such as sending camouflage false packet detection and cross check query. The method of response packet to the hijacked client in order to force the passive monitoring is mainly to capture all DNS requests and client to jump to a false site, etc. responses pairs, and then detect hijacking attacks by behaviors analysis [8]. False message detection using the initiative to B. HTTP hijacking principle send a probe to detect whether there is a DNS hijacking [6, 8]. After the web server that is accessed by a user’s browser Cross check query is mainly to further reverse the query of and sends an HTTP request, routers of the operator will the results of DNS analysis, and to detect hijacking attacks first receive the HTTP request, the bypass device of the by determining whether the two result of query are consistent. operator routers also received a copy of the HTTP request Each of these methods has its advantages and disadvantages, after spectral or mirroring. Then send camouflage response in which the passive monitoring detection is a passive way, packet for hijacking before the web server returning the data. the other two are active. Passive monitoring detection will not The browser will jump to the target web site after receiving cause the network’s additional traffic, but the method cannot the camouflage response, the real data of the web server will apply to the new attack or variant means with the change be discarded after the true data of the web server. of DNS hijacking behavior. False packet detection requires a large number of active packets to send, it will increase extra burden over the network. Cross detection query greatly depends on the capabilities of DNS server with reverse query service , but a lot of DNS does not have the ability. Because HTTP spectral hijacking is a kind of new attack in recent years, the related research work is less accumulated. Network operators mostly use the source address detection method to detect whether there are packets with fake addresses in the network [9, 10]. But because there are a lot of other network attacks, such as DDoS, which also uses a fake address, so this method cannot be applied to identify and detect the HTTP hijacking accurately. Some researchers use flow identification methods to detect such attacks [11–13]. However, this kind of method is often Fig. 2. HTTP response 302 redirect hijacking schematic unable to achieve accurate identification. So it is a lack of operability in real network. According to the different disguised response package, can be divided into 302 redirect hijacking and 200 OK hijacking III. HTTP HIJACKING PRINCIPLE ANALYSIS method. As shown in Fig. 2 and Fig. 3. HTTP 302 redirect A. Spectral hijacking deployment structure hijacking, as its name implies, that is, in the way of HTTP As shown in Fig. 1, under usual circumstances, the attacker 302 redirect response to disguise the return of the response sniffs all the spectral traffic information by deploying the packet, and fill in the hijacking target site URL in the jumping related traffic acquisition device at the core router. There are URL in the internal packet, in order to achieve the purpose other circumstances where operators deploy DPI/CDN/ cache of forcing users to visit the target site B browser. HTTP 200 and other systems in bypass which hijack attackers use to OK hijacking is to use HTTP 200 OK response to camouflage launch attacks. The acquisition device can be configured by response packet, and inject a script in the JS script, in order policy, only collect part of traffic such as DNS, HTTP uplink to achieve forced users to display the browser hijacking side and the TTL value is the same packet camouflage, because spectral hijack points are fixed, the camouflage response to the user’s routing number is basically the same.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages7 Page
-
File Size-